Usage notes
This section describes the technical differences between on-demand backups managed by Amazon Backup and DynamoDB.
Amazon Backup has some different workflows and behaviors than DynamoDB. These include:
Encryption - Backups created with the Amazon Backup plan are stored in an encrypted vault with a key that is managed by the Amazon Backup service. The vault has access control policies for additional security.
Backup ARN - The backup files created by Amazon Backup will now
have an Amazon Backup ARN, which could impact the user permission model. Backup resource names
(ARNs) will change from arn:aws:dynamodb
to arn:aws:backup
.
Deleting backups - Backups that are created with Amazon Backup can only be deleted from the Amazon Backup vault. You will not be able to delete Amazon Backup files from the DynamoDB console.
Backup process - Unlike DynamoDB backups, backups made with Amazon Backup are not instantaneous.
Billing - Backups of DynamoDB tables with Amazon Backup features are billed from Amazon Backup.
IAM roles - If you're managing access through IAM roles, you will also need to configure a new IAM role with these new permissions:
"dynamodb:StartAwsBackupJob", "dynamodb:RestoreTableFromAwsBackup"
dynamodb:StartAwsBackupJob
is needed for a successful backup with Amazon Backup
features, and dynamodb:RestoreTableFromAwsBackup
is needed to restore from a
backup made with Amazon Backup features.
To see these permissions in a complete IAM policy, see Example 8 in Using IAM.